From 2c377dcb7ef8fb3242e67e7cb43cfe91bd4c0f1d Mon Sep 17 00:00:00 2001 From: Harshit Singh Bhandari Date: Sun, 28 Jun 2026 23:24:43 +0530 Subject: [PATCH] ci(release): gate signed release on the release environment (#2249) The Desktop release fires on any desktop-v* tag push and consumes the repo-level signing secrets, so any write-access collaborator can cut a signed prod build. Reference the `release` environment from the build jobs so a designated reviewer must approve before the secrets are used. Takes effect once required reviewers are configured on that environment. Co-authored-by: Claude Opus 4.8 --- .github/workflows/frontend-release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/frontend-release.yml b/.github/workflows/frontend-release.yml index 93b8361a8..281532985 100644 --- a/.github/workflows/frontend-release.yml +++ b/.github/workflows/frontend-release.yml @@ -41,6 +41,11 @@ jobs: matrix: os: [macos-latest, windows-latest, ubuntu-latest] runs-on: ${{ matrix.os }} + # Gates the signed release behind the `release` environment's required + # reviewers: any write-access user can push a desktop-v* tag, but only + # designated approvers can let the build that consumes the signing secrets + # proceed. Configure reviewers in repo Settings > Environments > release. + environment: release permissions: contents: write defaults: @@ -157,6 +162,7 @@ jobs: # finishes before publish-feed, but the feed is not gated on it. release-intel: runs-on: macos-13 + environment: release # same approval gate as the matrix release job permissions: contents: write defaults: